Environment
Novell Vibe OnPrem 3
Situation
Vulnerability Details:
Type of vulnerability: Stored Cross-site scripting (XSS)
Who can exploit it: Local and Remote attackers
Risk: High
Vulnerability Description:
Users can include and store arbitrary client-side code such as JavaScript in the Novell Vibe web application. The code can then be executed within an unsuspecting victim's browser.
The vulnerability exists because the "/gwtTeaming.rpc" code does not properly sanitize user input submitted in the "What Are You Working On?" (Micro Blog) entry field. In addition, the application fails to encode the stored entry on output, allowing the script to execute.
Impact: Any user who can view another user's Micro Blog entry is vulnerable to this XSS attack. Successful exploitation of this vulnerability could result in session cookie theft, session hijacking, URL redirection, and possible operating system code execution on the targeted victim's host.
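The following is an added illustration, not Novell's code: it shows the two halves of the defect described above, a stored Micro Blog entry rendered with no output encoding beside the same entry rendered with entity encoding. The entry object, its text and the function names are constructed for this example and are not Vibe's data model or API.

```javascript
// Minimal HTML entity encoder for untrusted text placed in an element body
// or a quoted attribute value. Encoding happens at the point of output.
function encodeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed example of a stored entry from the "What Are You Working On?" field.
// The server stored the text verbatim, i.e. no input sanitization took place.
const storedEntry = {
  author: 'mallory',
  text: 'Finishing the quarterly report <script>alert(1)</script>',
};

// Vulnerable pattern: stored text is concatenated into markup unencoded. When the
// fragment is inserted into the page, the <script> element is parsed and executed
// in every viewer's browser, which is the stored XSS the advisory describes.
function renderEntryUnsafe(entry) {
  return `<div class="microblog"><b>${entry.author}</b>: ${entry.text}</div>`;
}

// Hardened pattern: every untrusted value is entity-encoded on output, so the
// browser displays the literal characters and never treats them as markup.
function renderEntrySafe(entry) {
  return `<div class="microblog"><b>${encodeHtml(entry.author)}</b>: `
       + `${encodeHtml(entry.text)}</div>`;
}

// Simple regression check for a test suite: does a rendered fragment still carry
// a live <script> tag? Returns true for the unsafe renderer, false for the safe one.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```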
Resolution
The vulnerability was addressed in the final shipping version of Novell Vibe OnPrem 3.
Status
Security Alert
Additional Information
Identifiers:
CVE-2010-4322
SERT-VDN-1002
Found and Reported by:
Rob Kraus, Paul Petefish, and Solutionary Engineering Research Team (SERT)